From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH net-next 0/6] netfilter: fixes for net-next
Date: Thu, 25 Sep 2025 00:29:17 +0200
Message-ID: <aNRwvW4KV1Wmly0y@calendula>
In-Reply-To: <20250924140654.10210-1-fw@strlen.de>
Trimming Cc:
On Wed, Sep 24, 2025 at 04:06:48PM +0200, Florian Westphal wrote:
> Hi,
>
> The following patchset contains Netfilter fixes for *net-next*:
>
> These fixes target next because the bug is either not severe or has
> existed for so long that there is no reason to cram them in at the last
> minute.
>
> 1) Fix IPVS ftp unregistering during netns cleanup, broken since netns
> support was introduced in 2011 in the 2.6.39 kernel.
> From Slavin Liu.
> 2) nfnetlink must reset the 'nlh' pointer back to the original
> address when a batch is replayed, else we emit bogus ACK messages
> and conceal real errno from userspace. From Fernando Fernandez Mancera.
> This was broken since 6.10.
Side note: nftables userspace does not use this feature. This is used
by a tool that is not in the netfilter.org repositories, to my
knowledge.
> 3) Recent fix for nftables 'pipapo' set type was incomplete, it only
> made things work for the AVX2 version of the algorithm.
>
> 4) Testing revealed another problem with avx2 version that results in
> out-of-bounds read access, this bug always existed since feature was
> added in 5.7 kernel. This also comes with a selftest update.
>
> Last fix resolves a long-standing bug (since 4.9) in conntrack /proc
> interface:
> Decrease skip count when we reap an expired entry during dump.
> As-is we erroneously elide one conntrack entry from dump for every expired
> entry seen. From Eric Dumazet.
>
> Please, pull these changes from:
>
> The following changes since commit dc1dea796b197aba2c3cae25bfef45f4b3ad46fe:
>
> tcp: Remove stale locking comment for TFO. (2025-09-23 18:21:36 -0700)
>
> are available in the Git repository at:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git tags/nf-next-25-09-24
>
> for you to fetch changes up to c5ba345b2d358b07cc4f07253ba1ada73e77d586:
>
> netfilter: nf_conntrack: do not skip entries in /proc/net/nf_conntrack (2025-09-24 11:50:28 +0200)
>
> ----------------------------------------------------------------
> netfilter pull request nf-next-25-09-24
>
> ----------------------------------------------------------------
> Eric Dumazet (1):
> netfilter: nf_conntrack: do not skip entries in /proc/net/nf_conntrack
>
> Fernando Fernandez Mancera (1):
> netfilter: nfnetlink: reset nlh pointer during batch replay
>
> Florian Westphal (3):
> netfilter: nft_set_pipapo: use 0 genmask for packetpath lookups
> netfilter: nft_set_pipapo_avx2: fix skip of expired entries
> selftests: netfilter: nft_concat_range.sh: add check for double-create bug
>
> Slavin Liu (1):
> ipvs: Defer ip_vs_ftp unregister during netns cleanup
>
> net/netfilter/ipvs/ip_vs_ftp.c | 4 +-
> net/netfilter/nf_conntrack_standalone.c | 3 ++
> net/netfilter/nfnetlink.c | 2 +
> net/netfilter/nft_set_pipapo.c | 9 ++--
> net/netfilter/nft_set_pipapo_avx2.c | 9 ++--
> .../selftests/net/netfilter/nft_concat_range.sh | 56 +++++++++++++++++++++-
> 6 files changed, 73 insertions(+), 10 deletions(-)